playwright-skill
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The `run.js` file implements a 'Universal Executor' pattern. It accepts raw JavaScript code from command-line arguments, file paths, or stdin, writes this code to a temporary file (e.g., `.temp-execution-123.js`), and then executes it using Node.js `require()`. This allows for the execution of any arbitrary Node.js code, which can perform sensitive file system or network operations.
- COMMAND_EXECUTION (MEDIUM): The skill frequently uses `child_process.execSync` to perform environment setup and bundling.
  - In `run.js`, it executes `npm install` and `npx playwright install` automatically if dependencies are missing.
  - In the included `.temp-execution-1770342857274.js` file, it executes `npx esbuild` to bundle code.
- DATA_EXPOSURE (LOW): The file `.temp-execution-1770342857274.js` appears to be a leftover from the author's development environment and contains hardcoded absolute paths (`/mnt/Store/Projects/Mine/Github/...`), exposing the author's local directory structure.
- DYNAMIC_EXECUTION (MEDIUM): The `run.js` script dynamically wraps and modifies code strings at runtime before execution, including a reference to a non-existent helper library (`./lib/helpers`), which could lead to unpredictable behavior or errors during execution.
Audit Metadata